Keygens For Engineering, Scientific Software Lead To FAKEAV

In the past few weeks, we have seen increasing numbers of infections related to TROJ_GATAK, especially in the North American region. This malware family is not particularly well known; we discussed it in 2012 in relation to file infectors that were hitting Dutch users.

In checking for its possible causes, we found that the malware is currently being distributed in the wild as key generators for various applications. These range from expensive, specialized engineering and scientific software, to multimedia editing tools, to benchmarking software, and even to games:

AVEVA_PDMS_v12_0_keygen.exe

AllData_10_40_keygen.exe

Bigasoft_MKV_Converter_3_7_18_4668_keygen.exe

CambridgeSoft_ChemBioOffice_Ultra_v13_0_Suite_REMEDY_keygen.exe

Cockos_REAPER_4_581_Final_keygen.exe

Fireplace_3D_Screensaver_and_Animated_Wallpaper_3_0_keygen.exe

GeekBench_2_2_3_keygen.exe

Guaranteed_PDF_Decrypte_v3_11_keygen.exe

Macrium_Reflect_Professional_5_2_6433_keygen.exe

Magical_Diary_Horse_Hall_keygen.exe

Nuance_Dragon_Naturallyspeaking_12_0_Premium_Iso_keygen.exe

Oloneo_PhotoEngine_v1_0_400_306_keygen.exe

RadioSure_Pro_2_2_1004_0_keygen.exe

Reg_Organizer_6_11_Final_Portable_keygen.exe

The_Bat_Home_Edition_5_0_24_keygen.exe

The_Precursors_1_1_keygen.exe

Wolfram_Mathematica_9_keygen.exe

We detect this malware as TROJ_GATAK.FCK. If a user downloads and runs one of these files, believing it to be a key generator, it drops a file under the %AppData% folder (also detected as TROJ_GATAK.FCK) and creates a corresponding autostart registry entry.

This dropped file poses as a legitimate file related to Google Talk or Skype; alternatively, it may use the generic name AdVantage.exe. It also drops an encrypted file in a randomly named folder under %Application Data%\Microsoft. This encrypted file is later decrypted in memory.
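The dropper behaviour described above (an executable placed under %AppData%, registered to start automatically, and named to look like a Google Talk or Skype component or AdVantage.exe) can be hunted for from the autostart side. The Python script below is an added example and is not code from the original post or from Trend Micro. It parses constructed output in the style of `reg query` for the current user's Run key, flags every entry whose target executable lives under an AppData path, and separately marks those whose filename mimics the names this post describes. The name fragments `googletalk`/`gtalk`, the sample user name and paths are assumptions for illustration only.

```python
"""Triage helper: flag autostart entries whose target runs from AppData and
whose name mimics the GATAK dropper's disguises. Added example, not the
original post's code; sample registry output below is constructed."""
import re

# Name fragments the post says the dropped file imitates. The 'gtalk' and
# 'googletalk' fragments are an assumption about how a Google Talk lookalike
# would be named; AdVantage.exe is quoted directly from the post.
SUSPICIOUS_NAME_PATTERNS = (
    re.compile(r"googletalk|gtalk", re.I),
    re.compile(r"skype", re.I),
    re.compile(r"^advantage\.exe$", re.I),
)

# Both the modern %AppData% layout and the legacy "%Application Data%" name.
APPDATA_MARKERS = ("\\appdata\\", "\\application data\\")

# Matches one value line of `reg query <key>` output: name, type, data.
ENTRY_RE = re.compile(r"^\s+(?P<name>\S.*?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<value>.*)$")
# Pulls the executable path out of the data: quoted path, or first token.
EXE_RE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>\S+)')

# Constructed sample (hypothetical user "alice"); not real telemetry.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
    googletalk    REG_SZ    C:\Users\alice\AppData\Roaming\Google\googletalk.exe
    AdVantage    REG_SZ    "C:\Users\alice\AppData\Roaming\AdVantage.exe"
    Skype    REG_SZ    "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash
    Updater    REG_SZ    C:\Users\alice\AppData\Local\Temp\updater.exe
"""


def parse_reg_query(text):
    """Return (value_name, data) pairs from reg-query style output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("name"), m.group("value")))
    return entries


def executable_path(data):
    """Strip command-line arguments, returning just the executable path."""
    m = EXE_RE.match(data.strip())
    if not m:
        return data.strip()
    return m.group("q") or m.group("u")


def find_suspicious_autostarts(text):
    """Flag Run-key entries launched from AppData; note lookalike names.

    Each finding is a dict with the value name, the resolved path and a
    list of reasons: 'runs_from_appdata' for any AppData target, plus
    'name_mimics_gatak_dropper' when the filename matches a disguise.
    """
    findings = []
    for name, data in parse_reg_query(text):
        path = executable_path(data)
        lowered = path.lower()
        reasons = []
        if any(marker in lowered for marker in APPDATA_MARKERS):
            reasons.append("runs_from_appdata")
        basename = lowered.rsplit("\\", 1)[-1]
        if reasons and any(p.search(basename) for p in SUSPICIOUS_NAME_PATTERNS):
            reasons.append("name_mimics_gatak_dropper")
        if reasons:
            findings.append({"entry": name, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_autostarts(SAMPLE_REG_QUERY):
        print(f"{finding['entry']:<12} {finding['path']}  <- {', '.join(finding['reasons'])}")
```

On a live host the input would come from `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` (and the HKLM and RunOnce equivalents); any AppData-resident autostart deserves a look, and a lookalike name raises the priority rather than being the only trigger, since the post says the dropper may also use other names.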

The decrypted file contains shellcode and the URLs from which to download the payload. Some variants download an image file that contains the encrypted code; the image looks like the one below and appears to be a stock photo from Sri Lanka:

Figure 1. Downloaded image

The payload in this particular attack is fake antivirus software (FAKEAV) that, as is the case with all FAKEAV malware, displays fake virus detection alerts and asks the user to pay in order to successfully clean the machine. This variant is detected as TROJ_FAKEAV.SMWV.